the burden is on the sender to prove that consent was obtained when it is disputed

Consent is Disputed

bringing accountability to a barely regulated industry

What is this?

I don't always get spam, but when I do, I exercise my rights under the Spam and Privacy Acts.

Of all the unsolicited commercial messages that I have followed up on, I have never once been provided with evidence of consent. At best I have received a variation of the following:

  • "Look at this screenshot from our internal system where we ticked the box saying you consented" or
  • "You entered an online competition that gave us consent to use your data"

Rather than just let these multi-billion dollar corporations and government agencies get away with commercialising my data without my consent and just telling me to unsubscribe, I have instead: 

  • insisted that they meet their legally mandated obligations and
  • rated all of them on how they handled these requests

This site aims to bring some accountability to those in, and leveraging, the direct marketing industry who have been getting away with these practices for years.

These publicly published reports form the basis for the detailed submissions into the OAIC complaint process.

Let's see if sunlight really is the best disinfectant.

How we got here

In 2008, I provided my profile data to an e-tag company, using an email address that specifically included the company's name. This email address was exclusively given to that particular company, and was solely used to receive statements during a nine-month period in 2008.

During that time, the associated privacy policy explicitly prohibited the use or disclosure of my personal information for marketing purposes, and gave the option to close my account if that policy should ever change. This policy remained unchanged when I closed my account.

13 years later, I began receiving unsolicited commercial messages at this email address.

This prompted a 3 year (and counting) investigation into the direct marketing industry, aiming to uncover how my personal information was disclosed, obtained and sold, using the two key elements of the Spam and Privacy Acts designed to protect us and afford us rights over our own data.

During this time, a number of other unrelated businesses also sent unsolicited commercial messages, and were also unable to meet their obligations. Some of the parallels between these unrelated events and businesses appeared suspiciously consistent.

 Those interactions will also be published here.

A few anonymised interaction samples and ratings

(tap, click or swipe right and left for more)

Our Data Rights

Disclaimer: I am not a lawyer. I don't even play one on TV. 

The following is based on my interpretation of the Spam & Privacy Acts. These have been stated repeatedly to every party involved in these matters, and has never once been contradicted or challenged by anyone that I have asked to comply with this interpretation. However, I am always open to any clarifications if any of the following misrepresents our rights under these acts.

The two key elements of the Spam and Privacy Acts that I have found advertisers, direct marketers and their data brokers often fail to comply with are:

  1. Retaining evidence of consent
  2. Providing their source of our data

Spam Act 2003

Section 16 (1), (2) & (5)

This section of the Spam Act 2003 protects individuals from receiving unsolicited commercial electronic messages. It puts the burden of proof on direct marketers to show that they have obtained the recipient's consent.

(1) A person must not send, or cause to be sent, a commercial electronic message that:
 (a) has an Australian link; and
 (b) is not a designated commercial electronic message.
(2) Subsection (1) does not apply if the relevant electronic account holder consented to the sending of the message.
(5) A person who wishes to rely on subsection (2), (3) or (4) bears an evidential burden in relation to that matter.

Australian Privacy Principle (APP) 7

Direct Marketing

Australian Privacy Principle 7 deals with the protection of personal information in the context of direct marketing. It requires organizations to inform individuals of the source of their personal information when requested.

7.45 An individual may ask an organisation to identify the source of the personal information that it uses or discloses for the purpose of direct marketing, or for the purpose of facilitating direct marketing by other organisations (APP 7.6(e)).
7.46 The organisation must then notify the individual of its source, unless this is impracticable or unreasonable (APP 7.7(b)). It is the responsibility of the organisation to be able to justify that it is impracticable or unreasonable to provide this notification.
7.47 Notification of the source of the personal information must be given within a reasonable period after the request is made (APP 7.7(b)). A ‘reasonable period’ would generally be 30 days unless special circumstances apply.

ACMA & ACCC Guidance

In addition to the above regulations, the ACMA and ACCC provides the following statements:

Know your responsibilities for email lists
Take care when you buy or use a marketing list.
You are still responsible for making sure you have consent for any addresses you use.

Most Australian businesses use advertising to promote their goods and services. Whether they advertise through television, radio, the internet or print media, they must ensure that their advertising complies with the law.

Where are the reports?

With over 3 years worth of correspondence to add annotate, rate and publish, updates will be pushed out over time.

The Change Log will track all updates as they are made. Once an update is logged, a post will also be published on LinkedIn.